Cyber Incident Victim: Crunchyroll

On March 23, 2026, rumors began circulating on social media alleging that Crunchyroll had suffered a cyberattack, prompting the streaming service to issue a statement acknowledging the claims and saying it was working with cybersecurity experts to investigate. According to a report from Cyber Security News cited in multiple outlets, the alleged intrusion was said to have occurred in mid‑March through Telus, a third‑party provider that supplies digital operational support services to Crunchyroll and other large companies. The report claimed that a threat actor had infected a system with malware, which potentially allowed access to billing information, email addresses, and IP addresses. A Crunchyroll spokesperson told CNET that the company was aware of the recent claims and was collaborating with leading cybersecurity experts to examine the matter. In a separate statement to another outlet, the spokesperson said the investigation was ongoing and that, at that time, the information appeared to be limited to customer service ticket data stemming from an incident with a third‑party vendor.

The threat actor who spoke to Cyber Digest asserted that the breach began on March 12, 2026, after an employee at Telus, Crunchyroll’s business process outsourcing partner, executed malware on their workstation, giving the attacker a foothold inside Crunchyroll’s internal environment. From that point, the actor claimed to have moved laterally into sensitive customer‑facing systems, including the company’s ticketing infrastructure, and to have exfiltrated approximately 100 gigabytes of personally identifiable information. The exfiltrated data sample analyzed by Cyber Digest reportedly contained IP addresses, email addresses, credit card details, and customer analytics data. The threat actor stated that Crunchyroll detected and revoked the unauthorized access roughly 24 hours after the initial intrusion, although the volume of data taken suggested a pre‑planned and rapid operation. Despite the alleged breach, the actor said Crunchyroll had ignored all communications about the incident and had not made any public disclosure to affected subscribers. The actor also noted that Crunchyroll was already facing a class‑action lawsuit filed in early 2026 over accusations of sharing user viewing data with third‑party marketing platforms.

Crunchyroll’s public responses have consistently emphasized that its investigation is ongoing and that it continues to work with leading cybersecurity experts to assess the situation. The company has stated that it has not identified evidence of ongoing access to its systems related to the claims and that it is monitoring the matter closely. While the threat actor alleges that 100 GB of data was taken from Crunchyroll’s customer analytics environment and ticketing system, Crunchyroll has maintained that the information involved is primarily limited to customer service ticket data from the third‑party vendor incident. The company has not publicly confirmed a data breach, nor has it issued a formal notification to users about the alleged exposure of personal information. These statements were made in the days following the initial rumors, with the most recent comment appearing on March 24, 2026.